Uploaded image for project: 'PDFBox'
  1. PDFBox
  2. PDFBOX-5385

Improve AddValidationInformation to handle exceptional situations better




      While trying to create PAdES BASELINE-LTA signatures, the OP of this stack overflow question also tried to use the AddValidationInformation class to get from BASELINE-T to BASELINE-LT.

      Due to a bad choice of test CA (the gembox test pki) he stumbled from one problem to the next, see his comments to my answer (the answer itself focused on generating a PAdES conform CMS signature container). In this context he indirectly identified possible improvements to AddValidationInformation. In particular:

      • When doing web requests to retrieve certificates, CRLs, and OCSP responses, AddValidationInformation does not follow HTTP Moved Permanently/Temporarily responses across protocol changes because the Java URL connection implementations don't.
        While in general there might be valid security reasons for not following redirects across protocols, in the use case at hand redirects between HTTP and HTTPS URLs should be supported. In particular there likely are many HTTP-to-HTTPS redirects nowadays after in the recent years a lot of sites started redirecting that way even for their freely accessible resources.
      • Other connection issues also result in exceptions that the AddValidationInformation class does not handle itself but allows to go through and cancel the whole process.
        Here the helper should catch more and continue working; for example, if there are currently problems to retrieve revocation information from the OCSP responder of some PKI, one can try and retrieve a CRL instead.
      • Reading the specification there are two variants of OCSP-via-HTTP requests, one using GET with URL encoded request data and one using POST with the request data in the body. At first glance the OcspHelper.performRequest() method looks like it executes a mix thereof, using GET (by default) combined with the request data in the body.
        Probably many OCSP responders supports this, ignoring the method and retrieving the request data from wherever they are. Nonetheless, this should be investigated (maybe my first glance ignored something relevant) and fixed if applicable.


        1. SO71225696_signed.pdf
          36 kB
          Tilman Hausherr



            tilman Tilman Hausherr
            mkl Michael Klink
            0 Vote for this issue
            3 Start watching this issue